
Modernize information technology across government agencies. Hearinge subcommittee is from the Personnel Management, the one Budget Office and the Education Department. This is about 2.5 hours.

[gavel] Welcome, everybody, to the Subcommittee on Government Operations. And our hearing. Pursuant togin, House rules, most members today Webex, remotely. Some members are appearing in person, or at least this member is. Let me remind you that all individuals attending the hearing in person must wear a face mask. I am dropping mine only to speak. Members not wearing a face mask will not be recognized. Let me also make some reminders for those appearing in person. You will only see witnesses appearing remotely on the monitor in front of you. In activeare speaking speaker view. A timer is visible in front of you. Remotely, attending let me remind everybody about points. First, you will be able to see each person speaking during the hearing, whether they are in person or remote, as long as you have your Webex set to active speaker view. If you have any questions, contact committee staff and they will try to be helpful. Second, we have a timer that should be visible on your screen when you are in the active speaker with thumbnail view. Members who wish to pin the timer to their screens should contact committee staff for assistance. Third, House rules require that we see you, so please have your cameras turned on if you are on remotely on Webex during this hearing. Fourth, members appearing remotely who are not record should remain muted. Fifth, I will recognize members verbally but members can seek recognition verbally in regular order. Members will be recognized otherwise in seniority order for questions. Lastly, if you want to be recognized outside of regular order, you can identify in several ways: use the chat function, send an email to majority staff, or unmute yourself to seek recognition verbally, although that is the least preferable way to do it.
Obviously we don't want people talking over each other. OK. S see I will begin with my opening statement. Remotely. You are on Mr. Hice yes, sir. I am here. Rep. Connolly: I am glad that you are there, I know you are in glad we havend im a remote option so you can participate fully in a help thing I hope everything will be OK. Today marks the 10th hearing the FITARA. Agencies in process andncy procurement. I'm happy to announce this study oversight has produced the first scorecard in which all agencies receive a passing grade. This achievement is a testament to the hard work of federal agencies' chief information officers and also, I think, to this committee and subcommittee's study bipartisan oversight for FITARA since enacted it 2014. This is most this is not just about passing grades, it is about taxpayer dollars saved, and serving the nation more effectively and efficiently. During the pandemic, we understand how vital strong IT is to the government and the people we serve. You have certainly seen limitations because of a lack of IT investment, whether it be with the Small Business Administration or the struggles of the IRS to provide personal checks to allonal citizens and dependents in America. We've also seen limitations in unemployment systems in the 50 respective states. It underscores the problems. Firstember 2015 when we released the scorecard, I said I hoped it would be the first in gaugegs where we would the transformative nature of transforms. Five years later, I think the benefits of the oversight are clear, and one would be hard-pressed to find sustained a partisan congressional initiative on its 10th installation. Agencies have made real improvements on the scorecard and I think we are putting it up over there on that screen. Over a period of time. Averageber 2015, the grade was a D across all participating agencies. This year for the first time, no agency received a D and no agency of course received an F.
These improvements represent dollars saved and improvements. Is theatest impact portfolio review process. This process enables agencies to reduce spending and demonstrate how IT investments align with the agency's mission and business function. Savent from helping agency 3 billion in fiscal 2015 to 20 billion this fiscal year. When the licensing metric was first added to the scorecard in June of 2017, 21 out of 24 agencies received an F for that metric. Now, 23 out of 24 agencies have As and an inventory of software licenses and use that inventory to make cost-effective decisions and avoid duplications. Federal agencies are also closing and consolidating more data centers, resulting in significant cost savings. The 24 graded agencies have a total of 47 billion dollars in cost savings for fiscal years 2012 through 2019. Those agencies have also reported plans to save more than 264 million this fiscal year alone. First hearing, witnesses stated that IT is no longer just the business of the CIO. Rather, it is everyone's business. Never has this been clearer than in the wake of the coronavirus pandemic, where IT has saved thousands of lives by enabling people to telework, and keeping the government and economy running while preserving health and safety. We have seen firsthand how the agencies that continued to use outdated IT during the pandemic prevented the delivery of government services when the public needed them most. Cautioned that the scorecard was not to be considered a scarlet letter but a point in time, a snapshot to measure progress and incentivize it. Scorecardsand 10 later, we are at a point where all agencies have received passing grades. The first time ever. 10.0 reflects five years of progress. Initially it consisted of four metrics, including data consolidation, portfolio review savings, incremental audit delivery, and risk assessment transparency.
Since then, the scorecard's success has led the subcommittee to incorporate other aspects of IT into the grades. Our framework is not rigid. Like the best of IT, it evolves. We augmented and changed the scorecard to examine other components such as cybersecurity, and constructive feedback. Today, it incorporates grades adapted from three additional pieces of legislation, including the MEGABYTE Act, Modernizing Government Technology Act and federal information and security act. Scorecard line, the continues to hold agencies accountable and show the American people that they deserve the best IT has to offer. Agencies still have work to do. Today, two thirds of graded agencies report directly to the head or deputy of the agency. Upon true that more CIOs, getting a seat at the table with C-suite positions. But we will hear today that none of the 24 graded agencies have established policies that fully address the role of CIO as required. We must continue to work to have theat all CIOs authority and policies in place to properly do their jobs. Discuss whichill existing metrics have achieved their goals and which might need to be considered for retirement. We will also start a careful discussion about what metrics might be incorporated in future scorecards it to continue to improve IT across the government. In other words, we will continue the scorecard. From ourhope to hear witnesses about what it takes to continuously improve and use efficient IT acquisition and management practices to do that. What powers and authorities might CIOs and governments need to improve IT, and in turn, what oversight will be provided to Congress and the public to ensure the new powers are used effectively and efficiently? To modernizenue legacy systems, migrate to the cloud and maintain a strong cyber posture. Surging, coronavirus the stakes for effectively implementing FITARA are perhaps higher than ever.
When executed well, modernization can ensure efficient delivery of government services and save lives. When executed poorly, it can unfortunately lead to outright failures in serving the American people when they need government the most. Put, the state of the world's largest economy, it is no exaggeration to say, lies in the ability of government IT systems to deliver in an emergency. The importance of federal agencies' effective use of IT is too important to ignore and this subcommittee will continue oversight of acquisition and management as we move forward. With that, I call upon the Ranking Member. Connolly. Ou, chairman and thank you for holding this hearing today on the scorecard. As you know, this has literally been a bright spot of bipartisan work for this committee and I look forward to personally see thedevelopment see the villain of the scorecard usefulness as relates to reform. I would also like to take a moment and give a shout out to of thanks to the outgoing chief information officer, who has been extremely dedicated in our service and it is deeply appreciated. As you know, enhanced CIO authority is one of the pillars, literally, of the FITARA, the whole system. Ms. Kent has done an outstanding job with her leadership and enthusiasm to really help drive some of the IT modernization effort that have been outlined in the president's management agenda. We are grateful for her leadership in service and hope to continue to build upon the initiatives she has championed. We areshared, chairman, here today to discuss the 10th FITARA scorecard. Agencies have made tremendous progress, as you mentioned, over the past five years. I want to congratulate them on their dedication to improve the IT procurement and management processes. A job well done.
Some of the things we have seen, accomplished over the last several years, include, as you mentioned, savings of literally billions of dollars, we have increased transparency for risky coursevestments, and of the elevation of the CIO position and authority within the agency. For all of these successes, we are very grateful for what has been done, but obviously it is more that needs to be accomplished. I would suggest that some of those things, we need to continue to update the metrics so they better and more effectively match the implementation practices being used today. I also think it is imperative that we as a committee put in place the right kind of incentives to bring about IT modernization at scale. Pandemic, is to the think this has highlighted to us the heavy reliance we have on some legacy systems and longstanding technology problems. To get to find ways agencies to move the needle on crucial issues. Somenk lastly, we need forward-looking, if you will, metrics to help modernize government as a whole. Some of those things would moving forward as it relates to citizens' experience. I think you referred to that, Mr. Chairman, and I think it's important we move in that direction. Enhancing the skills of the federal IT workforce. Toward aall, moving more agile and secure cloud computing environment. All of these things I think are extremely important as we continue moving toward, and I look forward to hearing from witnesses today, and in advance, I want to say thank you to our witnesses for being here. We appreciate your time and expertise you will bring to the table. With that, I yield back, thank you, sir. Rep. Connolly: Thank you, and I want to thank you personally, we have talked about this. This subcommittee has always had a strong bipartisan thrust, especially on this subject. With Darrell Issa and aning FITARA, expanding on it, and the scorecard, and with Mr. Meadows, now the chief of staff to the president.
You pledged to do the same and I very much appreciate that and look forward to continuing to work with you and I hope you are OK and healthy in Georgia. Thank you for your remarks. Ms. Harris, if you would unmute yourself in order to be sworn in, and about three witnesses here would rise and raise your right hands. Do you swear and affirm that the testimony you're about to give is the truth, the whole truth, and nothing but the truth, so help you God? Let the record show all answered in their performance the affirmative. Harris, ll on Carol director of IT management issues of the Government Accountability Office to give us her summary testimony. Welcome, Ms. Harris. You chairman, ank Ranking Member and members of the subcommittee. I would like to thank you and your excellent staff for your continued oversight for IT management and cybersecurity with this set of grades. It has been nearly five and half years since FITARA's enactment, and it is a good barometer. During this time, agencies have made significant progress. In the latest scorecard, there Bs, and 14 Cs. This is the first time all 24 agencies have received a passing grade. In addition, the agency with the greatest of transformations has been the Department of Education, moving from F to B-plus. I will go over where things stand now and where we need to go. First, progress made. I will start with incremental development. The number of major IT projects using incremental development has increased from 58 to 76. In addition, the level of transparency on the dashboard has improved with 61 of major projects red or yellow as opposed to 24 on the first. The first scorecard. Tohave also gone from 2 as 23. Agencies have also closed more than 6300 data centers and saved just shy of 2300 in this initiative. The progress would not have happened without the scorecard and oversight.
While these are, schmitz are noteworthy, significant actions remain to build on the progress and this brings me to the next point on where we are at. One third of the agency CIOs are still not reporting to agency heads. Have told us this is critical to carry out responsibilities. It gives CIOs seat at the table and will likely attract more qualified individuals to these positions over time. Also, about half of the agencies have not established capital fund to transfer from legacy systems. Roughly 80 of the over 90 billion spent annually on federal IT is operations and maintenance, including on legacy systems. The savings from software licenses, data optimization and portfolios that can be reinvested in agency IT modernization priorities. If each of these agencies did this, the grades would improve. Are achievablens by the next scorecard. Turning to data centers. We remain concerned about the current guidance that revives the classification of data centers and data center optimization metrics. For example, the new data center definition excludes more than 2000 facilities that agencies previously reported on. Many of these excluded facilities represent what OMB itself has identified as possible security risks. The changes will likely slow down or even halt important progress agencies should be making to consolidate, optimize and secure data centers. Finally, regarding where we need to go on the scorecard, the preview of the telecommunications transition an areaw attention to historically neglected by the agency. For example, had a prior telecom transition occurred on time, agencies could have saved 330 million. As I testified earlier this year, the agencies are behind schedule and could again be missing out on hundreds of millions in savings. Anr scorecard will be effective means for holding agencies accountable and ensuring a timely transition. Mr. Chairman, this concludes my comments and I look forward to your questions. Rep. Connolly: Thank you, Ms.
Harris, I look forward to those questions as well. Claire Montarona? Do I have that right? For recognized for five minutes. Thank you for the opportunity to discuss the status of information technology at the office of Technology Management and provide thoughts on the future of FITARA. I joined OPM as the seventh CIO in seven years and entered an agency with several key challenges, critical vacancies, antiquated and fragile tohnology and the need to ther the dtsa department of defense, which we hope to complete this fall. Coming from the private sector, this is admittedly a complex operating environment. Meeting and allen singh executive, meeting and balancing various demand while working in an inflexible budget cycle is challenging. But I would like to focus on what is possible. One of the first authorities I learned about was FITARA. With anit provides me operating framework and a mandate to make enterprise IT decisions and to teach investments that make best use of taxpayer dollars. I have received a steady stream leadershipfrom OPM have I am sorry I received a steady stream of support from OPM leadership to meet FITARA by establishing an enterprise IT strategy. We are enabling organizations as we move forward in this direction. We are extremely proud of raising OPM's FITARA score to C-plus. With only one net new hire and only a small increase in funding we have made significant progress and show people within OPM what is possible, like rolling out new laptops across the organization and moving to cloud email. This has enabled us to continue meeting our mission while DCSA employees during the pandemic. A few weeks ago, the dedicated CIO team successfully migrated our mainframe platform from the Teddy Roosevelt elting here in D.C. to a commercial data center. Our systems are now fully operational in a new, modern environment with continuity of operations in place. Dailye transition the IT
operations of this important national security mission to our colleagues at the Department of Defense this fall, OPM will be able to focus on OPM's mission and begin our modernization journey. I would like to touch on some enhancements to FITARA that could drive additional modernization at OPM and across government. The first is flaunting funding flexibility. Our legacy funding model with seven streams for CIO creates incredible complexity and inflexibility to address IT challenges. By standing up a working capital fund with transfer authority dedicated to IT enterprise investment and CIO oversight and authority over this funding, we will create enterprise efficiencies and measurable cost avoidance. Employees deserve the tools I've had the benefit of them benefit of in the private sector. Rescaling with the customer first mindset, using modern tools, agile development and using modern technology is essential. Our modernization strategy begins with upgrading our existing paper-based processes and workflows with modern electronic equivalents, allowing us to retire end-of-life systems. All of these are possible if we work on modernizing OPM together and giving OPM customers the 21st century experience they deserve. I look forward to working on this digital modernization journey together. Andk you for the invitation I look forward to your questions. Rep. Connolly: Thank you FITARA thank you Ms. Martonara. Mr. Gray, you are recognized for five minutes. Mr. Gray: Thank you for this opportunity to appear before you today to talk about the progress the Department of Education has made in implementing FITARA. I would also like to thank you for your continued support to improving IT management across the federal government. I appreciate the support I received from Secretary DeVos. It has been critical to the department FITARA implementation. I also want to thank everyone in my office for their hard work and commitment to dedication.
I would like to briefly show an update on our efforts and describe the impact FITARA has had on my ability to effectively manage the department IT. In my June 2019 testimony, I shared the department had completed a massive wholesale modernization of IT infrastructure. This effort transformed the way my office delivers IT services to the department. Within a five month timeframe, we migrated over 450 terabytes of data into a secure cloud environment and replaced approximately 5000 laptops with newer, high-performing models. Our users went from experiencing 20 minutes of laptop boot-up time to less than a minute. That translates into a return on investment of more than 1500 hrs of previously lost productivity per day. The cloud environment enabled us to reduce storage costs from one dollar 43 cents per gigabyte to .12 per gigabyte. Saving 25 million over a five-year period as a result of this initiative. The department will realize cost savings but the true value of the initiative is our ability to quickly adapt and respond to the department needs throughout the pandemic. Due in large part to the modernization, we've been able to support a 100 work remote workforce with minimal impact. With staff not coming into the office, we could implement within days, not months, a solution to virtually onboard more than 300 new employees and contractors today. By fully embracing the cloud, we were also able to complete a massive technology refresh 28 major systems, more than 700 servers, and over 500 terabytes of data over a single weekend with no impacts to IT services. In a traditional environment, this would have taken us weeks to accomplish. Without FITARA, we would not have been able to complete the massive and instead last year and certainly not within the timeframe I described. It was through the reporting relationship I have with Secretary DeVos and relationships across functional areas that I was able to drive the department's IT
priorities to achieve our modernization goals. The initiative was a cornerstone of our five-year IT modernization plan and strategic roadmap and I would like to thank you for providing us with the opportunity, following my testimony last year, to brief representatives of the committee on it. When we initially developed the identifiedoadmap, we redundant systems and manual are obsolete processes. The institutionalization of FITARA has provided the mechanisms to continually assess and rationalize our IT portfolio and adjust our plans accordingly, from strategically aligning our resource management to prioritizing investments to comply with 21st century integrated experience act or evaluating the use of shared services for capabilities such as management and the rapid response actions required to address emergency cybersecurity directives from DHS, I can achieve a level of visibility necessary to understand the impact to department IT resources. While we have made significant strides in our FITARA matter is seek awe continue to working capital fund. We coordinated with Congress to achieve language that would allow us to transfer funds to a working capital fund and included it in our budget request for 2020 and 2021. Respectfully request your assistance on this to enhance our ability to achieve the goals of FITARA. In conclusion, we have a solid FITARA framework and have demonstrated our ability to leverage it in support of our department mission. But we recognize that FITARA and modernization is a journey and it is important to continually improve. I thank you for your time today and look forward to your questions. Rep. Connolly: Thank you, Mr. Gray, it is good to have you again a year later. We will try to work with you on the transformer 30 transfer authority. Our final participant in the deputyria Roat, federal chief officer at the Office of Management and Budget. Welcome. Thank you.
Thank you for the opportunity to canuss FITARA and how we continue to drive and sustaining government wide IT modernization. I joined OMB eight weeks ago as the deputy chief information officer, bringing a career of federal and military technology experience and an agency perspective to my role. Theugh my career I've seen value of investing in modern, scalable solutions and how taking prudent risks, collaborating, brainstorming and sharing ideas and concepts drives change. CIO andxperiences as a no a strong commitment with in coordination with stakeholders can improve how the government meets its mission and serve the American public. COVID-19 put a spotlight and on digital transformation and the need to adapt quickly. Every agency worked at never before experienced levels of telework and sustain performance by leveraging capabilities already in place. There was a sense of urgency and CIOs were entrepreneurial, creative, and agile. Scorecard, irst technology investments and cloud and infrastructure enabled an overall seamless transition to telework. Were ableusly, CIOs to rapidly deploy scalable platforms for digital service delivery for COVID response activities. Services toed micro quickly stand up public facing portals and switch to video conferencing for telehealth, benefits interviews and to engage with customers. CIOs employed virtual desktops to replace the purchase of costly hardware. The CIO Council identified areas for future investments and improvements where we need to address gaps or move faster. We must keep the momentum. Agencies were able to move fast, innovate and implement changes for more interoperability. There is a shared interest across all areas of government, Congress, the executive branch and the administration to continue technology improvements. The Technology Modernization Fund and IT working capital funds and their multiyear approaches are programs instrumental in improving, retiring or replacing legacy systems.
Try thedo more to sustained long-term transformation and ensure digital first as we add value in service delivery. Throughout my career, I've had the honor to lead and work side-by-side with amazing innovators and technologists, public servants working for the federal government. Today, over 2 million servants use technology to carry out their jobs. Should important, we also remember the people charged with using these solutions must also be skilled in the use of technology. Of capability and threats continues to accelerate, we must invest in our workforce to keep skills relevant. The CIO Council continues to invest in the IT workforce and is building on last year's success with the Federal Cyber Reskilling Academy to launch this month a similar training program in data science. This summer we are virtually holding the third annual Women in IT event where women in leadership positions share stories and provide mentorship and career advice to emerging leaders. We graduated two cohorts from the automation reskilling course and in September we will graduate 20 people from the sc Career Development program. As we focus today on the 10th edition of the FITARA scorecard, we must adapt to the ever-changing technology landscape and likewise adapt the scorecard. I look forward to collaborating with you to further refine the scorecard to support sustained, long-term modernization and drive innovation. Thank you for the opportunity to speak with you today and I look forward to your questions. Rep. Connolly: Thank you, I appreciate that. Myself in agreement with everything you have said. It is good to learn that the administration has decided to embrace telework in light of the pandemic, given the fact that the administration was cutting back on telework the last two years. With respect to retiring legacy systems and the need for the monitor modernization fund, I am also in agreement but we need the administration to make a robust request in the budget.
If we are going to make progress on that. We call on the distinguished congresswoman from the District of Columbia. Ms. Norton? Ms. Norton? Mr. Lynch? Norton: I am here, I am here. Rep. Connolly: Great. Just speak up a little bit. Sorry, I punch the wrong button. Thank you and thank you for this annual hearing, it is very important to be brought up to date as you have allowed our witnesses to do. , the CIOsng FITARA have a significant role in the decision process of the management and site processes related to information technology. I would have thought they had a major role to play in an agency overall. I understand that IT is now based in the policy design and implementation. Ms. Estion is for Harris. There are CIOs who don't report to agency heads. Don't, they are likely to play that key role we spoke about. Who doesn't and why don't all of them report? I think it was perhaps in your testimony or the testimony of one of you that one third do not report to the agency head and I would like to know why. Minusrstand there is a and plus to see whether people are reporting but I don't understand how agencies determine what the committee has long said would be helpful. Ms. Harris: That is correct, ma'am. About one third of the agency CIOs do not have direct reporting mechanisms to the agency head and that is a problem because agency CIOs have reported to us that the reporting structure is very critical to allowing them to carry out their responsibilities. Can you explain what would be the resistance so we can work with agencies? I think in large part has to do with agency culture and being able to change that culture so that the CIOs have a seat at the table, it is vitally critical. With theake work senior leaders in those agencies to empower those CIOs, change those organization charts so CIOs have direct reporting capabilities and work with you all as well to make sure that happens. Rep.
Norton: I would like to work with the chairman to make sure there is no resistance. In the 21st century, you would have thought that having the CIO at the table would just be a given. I really don't understand the resistance to it and I believe the committee could be helpful in either requiring legislation or through regulation, that the CIO be at the table. Ms. Roat, question for and it has to do with the IT staff. Of are these staff valuable outside of the public sector? Is there great competition for these staff? I would like to discuss that. And then I would like you to tell the committee what we can do to attract and keep federal IT workers. Thank you for your question. , it is hard toce attract workforce to the federal government, and in turn, folks we train and the federal workforce go to the private sector and make more money. What attracts people to the federal government is the ability to focus on a mission, whether you are working for the Department of Energy or Transportation or DHS, or NASA. People are excited about the mission, and that draws people to the federal government. Had experience where people want to come on board, and I've had incredible talents. Other CIOs have had the same experience. But to your question, it is hard to get people in. But once you do and the folks that want to come and want to stay. They love what they do. When people leave the federal government, they might go back to private industry, get more experience and maybe make more money, and then they come back to the federal government. But again, we continue to explore flexibilities in hiring, compensation and looking at ways to build skills. As I said in my opening comments, we've done a lot for the federal workforce so far through the CIO Council on data science, cybersecurity, and we will continue to build on those skill sets so we can maintain that workforce. Newts not just attracting workers but maintaining and educating the current workforce.
Is pay a salient issue and keeping people in federal IT work? Ms. Roat: For people working in the IT world coming into the federal government, they can get compensated much more in the private sector. Thank you very much. Rep. Connolly: Thank you, congresswoman, and let me say in response to your query about CIOs, I could not agree with you more. When we wrote FITARA, there were 250 people spread out over 24 agencies with the title CIO. Sector how private many CIOs do you have an almost 100 the answer is one. So we have a lot of work to do. We did not mandate there shall we allowed it to evolve that one CIO was first among equals who reported to the boss. If we need to strengthen that, we will, and we will also be guided, Ms. Harris, in that matter as well. But we are making progress, and listening to testimony today, you've got relationships with the head of the agency and that makes all of the difference in the world. You have empowerment from the boss. But it is something we are mindful of and I thank the distinguished congresswoman for bringing further attention to it. The chair recognizes the distinguished Ranking Member, Mr. Hice. Rep. Hice: Thank you, Mr. Chairman. One of the things I have discovered in becoming more and more familiar with this, it seems like one of the current metrics measures how much of an agency's portfolio is high risk. There is I have found no definition of what high risk is, not that I've been able to find. When I think of high risk, I think of things like vulnerability to cyberattack. What I found out is that high risk means something else to others. It may mean whether the system is delivered on time and on budget. My question really, is there any comparable way agencies to define what we all mean by high risk so that we are all on the same page? Ms. Roat: Thank you for the question. As you portfolios across the. Programs, andity there are different definitions such as quality assets.
The systems that are at high risk, are those the oldest in the federal government that perhaps need to be modernized. As we are looking at the definitions, there are separate definitions whether it is high-value assets critical to the federal government, or those programs or systems that are high risk.

Rep. Hice: To me, that is part of the problem. Is there any way to get a uniform standing for what we mentioned for high risk? Or even just to prioritize the high risk category so that we know if the high risk is any of the things you mentioned, can we and should we focus this definition a little more tightly?

We should take a look at that to make sure we are all aligned with the definitions. I mentioned three definitions; the GAO is using high-priority programs and some other ones. We should ensure we are in alignment.

Rep. Hice: I agree. Let's try to move forward on that. Another thing that has come up when it comes to legacy IT: it does establish whether an agency has a working capital fund. That does not say those funds have to modernize old systems. What kind of metrics can we add to the scorecard to incentivize agencies to make these kind of IT overhauls?

Ms. Roat: I agree with you that it is imperative that we continue to modernize. The capital program allows agencies to have that long-term investment into technology that is critical to modernizing. To modernize the legacy systems and really drive that over multiple years. Where you have legacy systems and programs, being able to years that over multiple is how you continue to move the ball forward. With. Two people agencies two critical agencies.

Rep. Hice: I want to deal with the customer service aspect. More and more, we have people who have a problem coming to the government digitally. How can we put this kind of metric in future scorecards, making sure we are providing the customers what they need?

With the idea, I think there is an opportunity to look at the customer experience and how they interact with the federal.
There are a number of requirements for the signatures 508, so I look forward to working with you and understanding what are good metrics for that. This could evolve over time as agencies are looking to improve their website and customer experience with the American public.

Rep. Hice: I yield back.

Rep. Connolly: That is a good point. We would be proud to work with you on that. Ms. Harris, did you want to address the question Mr. Hice raised about 100 number of high-risk, about what number falls under the high risk on the scorecard?

Ms. Harris: It could be cost, a certain cost threshold. High-value. Different agencies have different ways to define what would be high risk. Having a more uniform decision toeven having a watchlist 10 20 top critical i. T. Investments would bee government an Excellent Way to hometown with those investments are. To 20g at the top 10 Critical Missions across the government. The report will be coming September. We will be happy to work with OMB to use that list as a jumping off point to have another working list for OMB and the executive branch agencies to work from.

Rep. Connolly: I would just say a word of caution. When we began this category, there were agencies that claimed they had no high-risk projects. We needed to get out of that protective defensive mode to say, these are high risk for these reasons and we will monitor them but if we do, we will take quick action. Multiyear, long, multibillion-dollar systems integration project. There were not always milestones. We were trying to make sure that we did not make a bad thing worse. In the private sector, something goes awry, the CEO says, pull the plug. We will try something different. A little bit more difficult to do in the public sector. High risk really matters and getting it right really matters. Unwittingly to change the definition so we go back to the old days of everything is fine. It is to capture something going awry before it goes off the cliff. Thank you, Mr. Hice, for raising it.
Sorry to impose on your time. Welcome.

Follow-up on that sentiment. You and I know, as long-term members of this committee, it has been a history of we don't have any problems over here, we are good, until there is a did and OPM, where 22 million record went out of people who were applying for security clearance and others as well. I approach this with a little bit of healthy skepticism. I am happy to hear the good report. But I have been here too long to believe all of that. Go to Mr. Gray. I read recently a pretty good article in the Washington Post that talked about hundreds of thousands of borrowers of student loans whose personal information, their Social Security numbers, detailed financial information, was left exposed by the Department of Education for like six months. These are people looking for some relief. Either they had been taken advantage of or exploited by for-profit universities. They had to basically open the kimono, these applicants looking for relief, yet we left all of their information available for whoever would tap into it. I would like to hear from Mr. Gray on that. Given the history here, and we all know what it is, just horrific. Not even encrypted Social Security numbers. It was just an unmitigated disaster. We continue to suffer from that today because of all the people we exposed who had asked for security clearance. The people who do the most sensitive work in our government. I would like to hear from Mr. Gray and also someone who could speak on behalf of OPM.

Rep. Connolly: I will ask Mr. Gray to go first, then call on Ms. Martorana.

I will share that that article is incorrect. The department did not leave that open for many months. What really happened was we had a situation where a file share was inadvertently left open to internal department-only employees. There was no external access. It was one element. We did report as required. It is a low risk incident.
As I briefed this committee on Friday, it is a situation like being in a bank where a bank has a vault. Every employee who can go into that vault is interested fully. Is a trusted employee. They have fingerprints, agreements, records management training. A situation an employee recognized, that a safety deposit box in that vault was unlocked.

Did every person have a need to know?

Mr. Gray: Every employee is vetted to be able to access information. Needed toemployee access that.

You have got to tighten that up. Right, we can tighten it up, right?

Mr. Gray: Yes.

Let me go to OPM.

Thank you for the question. Diligently to work opm infrastructure, great to upgrade our infrastructure. We are struggling to make sure appropriate staff levels to support all of the systems we are maintaining. One of the Biggest Challenges we have is that we are Still Department of defense, while we ing our systems. The National Investigations systems on all of their daily operations as well as all of the desktopand dents and support services. Have that able to mission over to the department of defense, that will give us the opportunity to be able to mission andcore upgrade the services we deliver our own mission.

That is a fair answer. Mr. Chairman, for the indulgence.

Mr. Lynch, if I could follow up on that question? I understand the sequence in with the Department of Defense. But when we go back to the original breach and were not there. Part of the problem is we had software for protection, Einstein. It was Einstein 2 that was not installed. That had nothing to do with the Defense Department. That is a management issue about getting around to it, prioritizing it. You have a moment to explain to the committee that that attitude has changed.

Ms. Martorana: I can assure you that the rigor and discipline within the current OPM team is extraordinary.
We would not have been able to execute something as complex as our mainframe migration without having a disciplined management CIO and an extraordinary team that is doing a diligent job on a daily basis. Can we do better? We can always do better. IT is one of those areas where you can always improve. But the team is extraordinary. We are utilizing every aspect available to us. Our cyber team is extraordinary. Do everything possible to safeguard every asset within our environment. Utilize the best tools of the federal government. I think you can rest assured, at this time, all safeguards and standards are being operated at the highest level.

Rep. Connolly: The chair now returning our colleague, the gentleman from , Mr. Palmer, for five minutes. Mr. Palmer?

Rep. Palmer: Can you hear me now?

Rep. Connolly: Yes, we can. Is your video on? There you are.

Rep. Palmer: Got me? First of all, I want to compliment Mr. Lynch on his library. That is impressive.

He rents it.

Rep. Palmer: There was a report submitted before the U.S. China review commission, about the top seven IT providers sourced over 57, over 51 percent of its material from China since 2012. I want to ask you if you think this poses a significant economic and national security risk?

It is a significant risk to national security. We have work ongoing related to the IT cyber supply chain. Majority of the agencies have not instituted internal controls. We are going to be making more than 100 recommendations associated with this. It does pose a threat to our nation.

Raised the question about the breach at OPM. I think there are still questions about that. Personal identification information out there. What would the budgetary impacts be of shifting technology acquisitions away from China?

I am not in a position to answer that question. We have not done work specific to that so I'm not in a position to answer that with specific facts.

Ms. Roat, would you have an idea about that?

Ms.
Roat: I do not.

Rep. Palmer: That is something we need to get an estimate on. There is a tremendous amount of talk about shifting the supply chain out of China. Especially when it comes to materials that are critical to economy and national defense. We spent 80 percent of our budget on maintaining antiquated systems, is that correct?

That is correct.

Rep. Palmer: And 51 percent of that is sourced from China. This is something, and I am going to make this request to Harris, either your agencies come up with the estimate or you work together. But I think we need to know what it will cost us to shift our IT supply chain away from China. I would appreciate it if we could get a response from you. Let us know when you start working on it. We have also recommended Congress implement a supply chain management strategy. Direct agencies such as the Census Bureau to review methodologies for publishing detailed supply chain data to better document the country of origin. This is for all of the witnesses. Are any of you aware of any current actions the federal government is taking towards these recommendations?

Ms. Harris: I don't. That work is out of the scope of what I am doing for this committee. So I will have to take that for the record to see if there is a better expert within GAO to answer that for you.

Rep. Palmer: Mr. Gray? That would be outside of your area of expertise, too. I will go to Ms. Roat. Do you know where we are on that?

Ms. Roat: Right now, we are working very closely with agencies to look at their supply chain, briefing them on the requirements of section 889. Working closely with the agencies. That work is ongoing and will continue.

Rep. Palmer: Is there specific work being done on the IT systems?

Ms. Roat: Again, we are working with the agencies to understand what the impact is and understand if there is equipment that needs to be upgraded, that sort of thing. That is underway right now.

Rep. Palmer: I thank the chairman and yield back.
I think he raises a good point about the need for coordination so we are not retiring legacy systems with 150 systems that can coordinate, can't be encrypted, can't have different requirements. And the CIO by OMB to make sure we are making decisions in the future both in the cyber realm in terms of interoperability and coordination. Very important.

Mr. Chairman, if I may respond to that? You are absolutely right about the interoperability among federal agencies but it also should extend to the state. In my previous experience on the oversight committee, we saw multiple examples to have that interoperability between state and federal agencies.

Rep. Connolly: You are quite correct and we are certainly seeing that in unemployment ID systems all across the country. There are at least a dozen that still use COBOL. The only good thing about that, I understand the Chinese don't know how to hack into COBOL. But millions of Americans not getting their payments in a timely fashion, which creates a snowball effect. The chair now recognizes the gentleman from Maryland, Mr. Raskin. Mr. Raskin?

Rep. Raskin: Mr. Chairman. Calling this very important hearing. In June of last year, the day of the FITARA hearing, guidance was issued which narrowed the definition of a data center. This eliminated reporting on more than 2000 facilities, including facilities OMB had previously cited as cybersecurity risks. It diminishes our ability to exercise oversight over potential security risks. In her opening statement, ms. Consolidationat would save us billions in taxpayer dollars. Does GAO remain concerned with OMB decisions to change the definition of data center and to no longer require agencies to include smaller data centers in inventories?

Ms. Harris: We remain concerned about the new definition of data centers. When agencies stop reporting on these data centers, they will fall under the radar.
They will stop looking at them in general and that is where the vulnerability risks increase because they are not looking at, paying attention to these centers.

OMB changes the guidance and the longerlasting subcommittee and GAO look toward progress in would you tell me why OMB change the definition of a data center when doing so could impair cyber ability and increase costs for the taxpayer?

OMB updated the definition of data center to better align with industry standards. If you look at the definition of data center, those areas where there was just maybe a router and a switch in a closet somewhere, those were not classified as true data centers. The modernization across the federal government and agencies closing data centers, they are taking big steps to upgrade their infrastructure and address the cybersecurity concerns across the environment. As you shut down data centers, there are many steps behind it. Even as we change the definition, modernizing it, shutting down data centers per industry standard takes a lot of work. Infrastructure upgrades will continue as we close data centers.

Rep. Raskin: Will you commit to working with the subcommittee to track data centers in a way that is consistent with the law and GAO recommendations to improve cybersecurity and maximize savings?

Yes.

Rep. Raskin: OK. Agencies required to implement the data center, a total of 4.7 billion in tax savings from FY 12 through 19. They reported in August of last year that they met or planned to meet OMB's fiscal 19 savings goal. Do we now know whether agencies met their fiscal year 2019 cost-saving goals? If not, when will we have that knowledge?

Ms. Roat: I will work with OMB on the data center and metrics to make sure we have accurate information for that. But we continue to track what the agencies are reported.

Rep. Raskin: Thank you. Ms. Harris, is there any more potential for cost savings through data center consolidation?

Ms.
Harris: Yes, we think there is.

Rep. Raskin: Why has the administration chosen to halt its efforts in this field?

Unfortunately, I don't feel comfortable speculating as to why the OMB would make that decision. Again, backtracking on identifying and including things like servers in closets, and considering that to be a data center is something we disagree with OMB on. That is something that should be counted. It may not be an opportunity for consolidation but it still poses a threat from a cybersecurity standpoint. That having the more inclusive definition is the way to go.

Rep. Raskin: Can you construct a barrier to cloud adoption in your approach?

Ms. Harris: The barrier to the cloud, the number one barrier is agencies having it as a priority. We found, in our work on cloud adoption, that agencies don't have the robust processes in place to take a look at all these estimates in terms of whether or not they would be eligible candidates for the cloud. We have made recommendations to agencies in implementing those processes. We continue to work to make sure those agencies are in the process of implementing the recommendations we have made.

Rep. Connolly: Thank you very much. Your point about data center consolidation is very important. I agree with you. I must say, Ms. Roat, I wrote that section, so I care about it. I am not going anywhere. We're going to insist on a robust of data centers so we consider the goal of consolidation. Savings and they can be used internally for reinvestment. And we will work with you, but we are not going to count squishing this in the definition of people get off the hook and aren't accountable for the data centers we are trying to consolidate. I hope you will take that message back. The gentleman from Wisconsin is recognized for five minutes.

Do you see me?

Chair Connolly: We can hear you, we cannot yet see you.

You might have to put up with just hearing me.

Chair Connolly: There you are.

I got in a little bit late. Is Ms. Martorana still around?
Chair Connolly: She is right here.

Good, good. I understand you spent a lot of your career in the private sector and focused on improving the digital experience. Given OPM's importance to the federal workforce, can you describe how you approach digital modernization?

There is an enormous opportunity for us at OPM to better serve our customers. Across a broad spectrum from continuing to improve the opportunities for job seekers all the way through to retirees. There are numerous opportunities, but the most important place to start is on a firm platform. Starting with the foundational investments that are required in people and technology, to start that digital modernization journey.

OK. [audio garbling] Hello?

Chair Connolly: Could you repeat your question, it sounds like you are in a railroad train.

I'm sorry, I will speak up. Both of your agencies, this is for Ms. Martorana and Jason Gray. Both of your agencies get Cs in cybersecurity, which means you got improvement. There's room for improvement. What steps are you taking to comply with this critical tool for ensuring effective security across the government?

I will start. We have taken a four-phased approach, focusing on our processes and making sure we are refining our processes to not only comply with FISMA, but we have been focused on strengthening our policies and have a lot of tools that we continue to use with defense in depth. Equally as importantly, as was mentioned earlier, education. Focusing on making sure our staff understand that and the department as a whole understands the importance of cybersecurity. We have developed and implemented a cyber risk scorecard with near real-time metrics that show and align directly with the cybersecurity framework. Which is visible to our system owners so they can see how they are doing, to the comment that we are measuring the risk and when something is red, it's not necessarily a bad thing.
It's an indication that something needs work and gets briefed to the deputy secretary and all assistant secretaries, so it is focused on process improvement, policy improvement, leveraging the tools we have in making sure we are educating everyone at the department on the role of cybersecurity.

OK.

I think I can mimic we are probably a little bit behind where the Department of Education is. Following in those footsteps, the people, the process, adding new technology and tools and significant training. We are consistently training our workforce to make sure the policies and processes we develop and the tools we are implementing are understandable and the entire workforce is comprehending that every single one of us are the best tools we have in keeping all of our information systems safe and secure.

Chair Connolly: I think the train left the station. Thank you. The chair will recognize himself for his five minutes of questions. You are back? Did you have one more question?

Yes. Nearly all agencies have gotten As in the software licensing metric. Do you think it is time to remove this metric and if so, how do we evolve the metric to capture some of the cost-saving aspects like eliminating unused software licenses?

That is a great question. Given that all agencies except OPM have received an A, it may be time to retire that particular metric or evolve it. Certainly when it comes to the evolution of the metric, one of the key things we will have to work with this committee on as well as with OMB is the availability of governmentwide data that is publicly available because that is what is used to generate these scores or these grades. That would be a key factor in what we could use to potentially evolve the software licensing grade.

Thank you very much. Great hearing and thank you for putting this together.

Chair Connolly: Thank you. Ms. Harris, despite the progress in the scorecard, we really don't seem to have made progress in retiring legacy systems.
Why not and what will it take to seriously incentivize agencies to do that?

Mr. Chairman, I think what we need to see greater progress on is the working capital fund establishment because that's an important mechanism agencies can use to transform their IT and modernize it. We would like to see a more aggressive push by the agencies that have not yet implemented those working capital funds to do those as quickly as possible so that they are able to put those savings that they generate from software licensing, data center consolidation into that fund so they can use those moneys and the flexibilities associated with them to modernize their platforms.

Mr. Gray, you will forgive me but I think you held the breach. The breach may not have been huge, but this committee had a hearing on your agency, or including your agency a few years ago and what came out surprisingly was the Department of Education has a huge database, 40 million Americans. You apply for a student loan, you have got my financial data. My checking account, all kinds of other financial data that is sensitive. That is a juicy target for some people up to no good. The fact we had this breach raises the question about how secure is that data, that database? The fact that you get a C minus in cyber, one of your lower grades, it underscores that maybe I need to be concerned. I wanted to give you an opportunity to talk about that.

What happened in 2017 is different to what happened this time. Million folders, a user inadvertently allowed people other than the department permissions. If you have a situation where people have the ability to go through and disable again, quote, I will allow, and say I will allow so-and-so to have access to this. They reported it externally to the department.
This would be like an individual at the TSA seeing a suspicious package; they reported externally and it went to the media. When it was identified to me we took care of it right away. We have scrubbed, re-scrubbed, re-scrubbed, and come to the same conclusion: this is a low risk, it was for trusted employees. We had a trusted employee who saw something and instead of doing what they were supposed to do, they took it external. To get to your question about cybersecurity, of course cybersecurity is essential. We have gone through what processes can we improve? Are there additional tools? We have data loss prevention. Entrusted to.

Chair Connolly: You have legacy systems at the Department of Education.

Yes, one. I have.

Chair Connolly: Wow. I have two conclusions from that. One is you are younger than I thought or the other is gosh, that puts an exclamation on it. From your point of view, and you have had experience in other agencies, let's stipulate we need a working capital fund. Other than that, what is it going to take? My experience is management needs to put a priority on something if it's going to happen. There has to be a multiyear commitment if that is what it is going to take. You've got to back it up with a budget commitment every year. From your point of view, what is it going to take to retire that legacy system?

To continue on the path we are on, there is a Next Gen student aid system which is well underway. That acquisition, that entire group of projects requires eliminating that system. It is actually on the roadmap of where we are going. Enroll Mark Brown has been doing a great job working closely, both of our teams working closely together from an oversight standpoint to make sure what is fed into our governance process. We have the support.
Funding is something we can always use, but we have the absolute support from the secretary and to address that legacy system, because we do recognize it is old and needs to be improved.

Chair Connolly: It is an enormous opportunity cost not owing to you but the rest of the federal government. If we are spending 80, it's not a line item, but that is roughly our budget for IT every year and 80 percent is going just to maintain legacy systems. No wonder we've got some of the problems we've got. Ms. Martorana, you are relatively new to OPM. Where did you come from? May I ask?

The United States Digital Service. I spent two years at the Department of Veterans Affairs prior to joining.

Chair Connolly: Private sector experience before that?

Yes.

Chair Connolly: OPM got a C or C overall grade. Given the fact that you are the HR agency for the entire federal government and, as Mr. Lynch mentioned, really sensitive data on federal employees, on people seeking security, a breach there, what could go wrong with that? Sadly, we had the biggest single breach in the history of the federal government with your agency several years ago. There was a sense, not about you personally, but that the agency remains surprisingly less than driven by a mission to make sure that never happens again and we are the exemplar for the federal government as opposed to a laggard. I heard you like your team and they are committed and you feel good about where you are headed, but a C is not a great overall grade given your mission and maybe put more positively, as we look to the future, what will it take to get to an A from your point of view?

We are a C , so a slight correction. With the mainframe platform migration we just completed and the coming data center closures that that will trigger, we had a failing grade in software inventory, but through the COVID supplemental, we were able to procure software that will allow us to do a software inventory.
We will be able to check that off of our list which should get us to approximately a B score within the next six months. So we are making pretty significant progress. Security is our primary focus. Every single day, we keep those systems safe, secure, and operational. One of the biggest challenges we have is funding and personnel. To the question earlier about risk, one of the biggest risks we are facing in addition to those systems, the legacy systems, is we have many, many people in our workforce that are retiring. With those folks retiring and a lot of these systems documentation, systems being old and not being very properly documented, a lot of the knowledge of those old, complex legacy systems is retiring with the subject matter experts. I think we have multiple levels of challenges we have to face together. Funding, multiyear funding, so that we can retire those legacy systems and put in more modern technology, that will reduce risk. Continuing to upscale and train our federal workforce and inspire younger and different people to come into the federal workforce is a critical part of what is going to be needed for us to continue to secure and maintain and operate the systems.

Chair Connolly: I certainly agree with you, and I would agree freezing wages, threatening to cut back in compensation, disparaging the work of the federal workforce, making it harder for people in the workplace to have appeals and representation, talking about extending a probationary period of one to two years, none of that is particularly appealing to young people on the college campus to come work for the federal government. It's almost designed to accelerate the phenomenon. Some of us can delay because they are so driven with their mission and passionate about what they are doing, or they feel so discouraged and unappreciated and none of this was helped by a 35-day shutdown, the longest in American history. So you come from the private sector, I come from the private sector.
I don't know a CEO who would get far with his or her board disparaging the workforce, slashing compensation, and talking about discrediting their value and their work. No CEO I know would keep the job. You praise your workforce, you motivate your workforce, you incentivize your workforce.

[indiscernible]

Chair Connolly: I want to thank you for the observations, thank you for the work we have done. We will stay in touch. Congratulations on progress and we certainly need OMB to keep the pressure on and to be supportive. We've got to come up with solutions to help agencies in addition to money, retire these legacy systems. They want to, they are motivated, but it is a big, big decision and a multiyear commitment in most cases. And quite disruptive in making that transition. So, we have to have some creative solutions. As we see the vulnerabilities in our systems, they have to be addressed. Thank you to the first panel so much for being here today. Please stay safe and healthy. We're going to take a five minute break and convene the second and final panel of this hearing. Thank you
